Audit Report

The Social Security Administration's Internal Controls over Issuing and Monitoring Contractors' Homeland Security Presidential Directive-12 Credentials

A-15-11-11178 | April 2013

MEMORANDUM

Date:      April 18, 2013
To:        The Commissioner
From:      Inspector General
Subject:   The Social Security Administration's Internal Controls over Issuing and Monitoring Contractors' Homeland Security Presidential Directive-12 Credentials (A-15-11-11178)

The attached final report presents the results of our audit. Our objective was to determine whether the Social Security Administration had appropriate and adequate internal controls over issuing and monitoring Agency contractors' Homeland Security Presidential Directive-12 credentials.

If you wish to discuss the final report, please call me or have your staff contact Steven L. Schaeffer, Assistant Inspector General for Audit, at (410) 965-9700.

Patrick P. O'Carroll, Jr.

Attachment

The Social Security Administration's Internal Controls over Issuing and Monitoring Contractors' Homeland Security Presidential Directive-12 Credentials
A-15-11-11178
April 2013
Office of Audit Report Summary

Objective

To determine whether the Social Security Administration (SSA) had appropriate and adequate internal controls over issuing and monitoring Agency contractors' Homeland Security Presidential Directive-12 (HSPD-12) credentials.

Background

HSPD-12 requires that all Federal agencies develop and implement a mandatory, Government-wide standard of identification for Federal employees and contractors. The purpose of HSPD-12 is to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy. The Federal Information Processing Standard 201 (FIPS 201), Personal Identity Verification (PIV) of Federal Employees and Contractors, established a standard for a PIV system based on secure and reliable forms of identification issued by the Government to its employees and contractors. Federal regulations require that contractors comply with HSPD-12 PIV requirements.

Our Findings

We reviewed the processes for SSA components involved in HSPD-12 suitability and credentialing. Overall, we determined that, in certain cases, SSA did not communicate the results of suitability determinations to the appropriate personnel, did not deactivate credentials timely or enforce the collection of credentials from terminated contractors. During our review, we found instances when SSA's components did not follow procedures for (1) terminating unsuitable contractors and ensuring investigations were complete, (2) cancelling terminated contractors' credentials, and (3) enforcing the collection and destruction of credential cards.

Our Recommendations

We recommend SSA:

1. Ensure all components involved in the HSPD-12 suitability and credentialing process effectively communicate unsuitable determinations, contractor terminations and changes in SSA contracts including Contract Officer Technical Representative changes.

2. Perform periodic reconciliations between the suitability and credentialing systems to determine whether unsuitable or terminated contractors have been terminated, their credentials cancelled, and their suitability determination is correct in all appropriate systems.

3. Ensure contractors who have been terminated outside of the normal system termination process are also cancelled in all systems.

4. Document its collection and destruction of terminated credentials in accordance with FIPS 201.

The Agency agreed with our recommendations.

TABLE OF CONTENTS

Objective ... 1
Background ... 1
    SSA Components and Systems Involved in HSPD-12 PIV ... 1
    Responsibilities of CPSPM ... 2
    Responsibilities of OPSS ... 3
Results of Review ... 4
    Procedures not followed for Terminating Unsuitable Contractors and Completing Investigations ... 4
        Unsuitable Contractors Continued Working on SSA Contracts ... 4
        Terminated Unsuitable Contractors with Active Credentials ... 5
        Active Contractors with Discontinued OPM Investigations ... 5
    Procedures not Followed for Cancelling Credentials of Terminated Contractors ... 6
    Procedures for Collecting and Destroying Credentials not Enforced ... 7
Conclusions ... 8
Recommendations ... 9
Agency Comments ... 9
Appendix A – Scope and Methodology ... A-1
Appendix B – Flowcharts and Narratives ... B-1
Appendix C – Agency Comments ... C-1
Appendix D – Major Contributors ... D-1

SSA's Internal Controls over Contractors' HSPD-12 Credentials (A-15-11-11178)

ABBREVIATIONS

AIMS      Administrative Instruction Manual System
CERMS     Contractor Enrollment Request Management System
C.F.R.    Code of Federal Regulations
CMS       Card Management System
CO        Contracting Officer
COTR      Contracting Officer Technical Representative
CPSPM     Center for Personnel Security and Project Management
CSS       Contractor Suitability System
EDS       Enrollment System
EPECS     Electronic Personal Enrollment Credential System
FIPS      Federal Information Processing Standard
HSPD-12   Homeland Security Presidential Directive–12
IDMS      Identity Management System
MRM       Material Resources Manual
OIG       Office of the Inspector General
OMB       Office of Management and Budget
OPM       Office of Personnel Management
OPSS      Office of Protective Security Services
PIV       Personal Identity Verification
SSA       Social Security Administration
SSASy     Streamlined Acquisition System

OBJECTIVE

The objective of this audit was to determine whether the Social Security Administration (SSA) had appropriate and adequate internal controls over issuing and monitoring Agency contractors' Homeland Security Presidential Directive-12 (HSPD-12) credentials.

BACKGROUND

HSPD-12[1] requires that all Federal agencies develop and implement a mandatory, Government-wide standard of identification for Federal employees and contractors.
The purpose of HSPD-12 is to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy.

To satisfy the HSPD-12 requirements, the National Institute of Standards and Technology issued Federal Information Processing Standard 201 (FIPS 201), Personal Identity Verification (PIV) of Federal Employees and Contractors.[2] FIPS 201 established a standard for a PIV system based on secure and reliable forms of identification the Government issues to its employees and contractors. Once the PIV process is complete, an individual's identity credentials are loaded onto a smart card called a PIV card or credential. The smart card contains stored identity credentials, such as a photograph, fingerprint, and other personal information, so the cardholder's identity can be electronically verified against the stored credentials. It functions as a visual identification for physical access and as an automated identity verification for computer systems access.

Federal regulations[3] require that contractors comply with the requirements of HSPD-12 PIV. According to SSA policy, anyone requiring unescorted physical access to SSA facilities or access to SSA information systems for any period of time must go through the HSPD-12 PIV process to receive a credential.[4]

SSA Components and Systems Involved in HSPD-12 PIV

SSA's Center for Personnel Security and Project Management (CPSPM) and Office of Protective Security Services (OPSS) are involved in the PIV process. CPSPM conducts and oversees background investigations for SSA employees, contractors, students, volunteers and other individuals requiring frequent access to SSA facilities or logical systems. OPSS implements and manages the HSPD-12 process and FIPS 201 requirements. These two offices have different chains of command, as illustrated in Figure 1.

[1] HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 27, 2004.
[2] FIPS Publication 201-1, PIV of Federal Employees and Contractors, National Institute of Standards and Technology, March 2006.
[3] 48 C.F.R. § 52.204-9(a).
[4] Administrative Instructions Manual System (AIMS) Material Resources Manual (MRM) 04.51.05 and SSA Memorandum, Contractor Enrollment Request Management System (CERMS), October 8, 2008.

Figure 1: Components Involved in HSPD-12 PIV

Responsibilities of CPSPM

CPSPM is responsible for ensuring all contractors receive the appropriate personnel suitability background investigation required by Federal laws and regulations.[5] This includes making suitability determinations and ensuring determinations are appropriately recorded in the system. Once the process is complete, CPSPM notifies the Contracting Officer Technical Representative (COTR), the Contracting Officer (CO) and the contractor employer of the suitability adjudication by an automated suitability determination letter.

The suitability investigation provides a basis for the Agency's suitability determination. Federal regulation[6] states that the suitability determination is ". . . based on a person's character or conduct that may have an impact on the integrity or efficiency of service." Certain factors are considered in determining suitability, including misconduct or negligence in employment, criminal or dishonest conduct, and fraud.[7] SSA stated that contract employees are investigated at the same risk level as Federal employees who perform the same type of work.

[5] 48 C.F.R. § 52.204-9(a).
[6] 5 C.F.R. § 731.101(a).
[7] 5 C.F.R. § 731.202(b)(1)(2) and (3).

Once the contractor submits the application paperwork to SSA, CPSPM conducts an initial background check, including a fingerprint check, verification of social security number, selective service registration, work authorization or citizenship and education, if indicated. CPSPM makes an initial suitability determination based on the results of this background check. CPSPM sends a letter stating the initial suitability determination to the COTR, the CO and the contractor employer. Suitable contractors may begin work on an SSA contract. CPSPM must also record the suitability determination into the Identity Management System (IDMS) to initiate the creation of a credential. Only CPSPM has the authority to enter the suitability determination into IDMS.

After making the initial determination, CPSPM sends the contractor's paperwork to the Office of Personnel Management (OPM). OPM performs a more in-depth background investigation, including verifying employment, checking credit references, and contacting references. Generally, OPM conducts investigations for SSA's contract employees.

Once OPM completes its background investigation, it sends CPSPM its results. CPSPM's initial suitability determination is the final determination unless the results of the OPM investigation cause CPSPM to change the suitability determination. If CPSPM determines the contractor to be unsuitable based on OPM's findings, CPSPM prepares a second letter for the COTR, the CO and the contractor employer stating that the contractor is unsuitable and must be removed from the contract immediately. OPSS stated that the COTR should contact OPSS to ensure the credential is deactivated within 18 hours of notification as required by FIPS 201.

CPSPM developed the Contractor Suitability System (CSS) to manage and maintain contractor background and suitability investigation information. CSS is for the sole use of CPSPM. It derives SSA contract information from SSA's Streamlined Acquisition System (SSASy). However, there are certain contracts not maintained in SSASy; these must be entered and updated manually by CPSPM.

Responsibilities of OPSS

OPSS led the Agency's implementation of HSPD-12. OPSS directs SSA's physical and protective security program and establishes policy to ensure the safety and security of SSA employees, visitors, and property.

As a requirement of FIPS 201, OPSS created IDMS, which maintains all enrollment and credentialing information required for PIV. IDMS has two components: the enrollment process and Card Management System (CMS). CPSPM enters and approves employees and contractors in IDMS, and OPSS maintains the creation of the HSPD-12 credential card and credential access in CMS. Once the PIV process is complete and a contractor is determined suitable for work, OPSS issues an HSPD-12 credential.

As part of the enrollment process, OPSS developed the Contractor Enrollment Request Management System (CERMS) application for SSA COTRs to enter new contractors or remove existing contractors from contracts. CERMS notified authorized personnel to issue or revoke credentials to SSA contractors. The Electronic Personal Enrollment Credential System (EPECS) replaced CERMS on February 24, 2012.
EPECS provides a higher level of security than CERMS and a more efficient contractor management process for COTRs.

RESULTS OF REVIEW

CPSPM and OPSS have separate responsibilities for implementing the requirements of HSPD-12. We reviewed the processes for each office as they related to HSPD-12 suitability and credentialing. During our review, we found instances when SSA's components did not follow procedures for (1) terminating unsuitable contractors and ensuring investigations were complete, (2) cancelling terminated contractors' credentials, and (3) enforcing the collection and destruction of credential cards.

Procedures not followed for Terminating Unsuitable Contractors and Completing Investigations

SSA facilities and systems are put at risk when unsuitable contractors and their credentials are not terminated immediately. According to SSA policy,[8] if a contractor has received an unsuitable adjudication, CPSPM must inform the COTR, CO and the contractor employer of the action, and the Agency is responsible for immediately cancelling the contractor's credential. During our review, we found two contractors working on SSA contracts for longer than 1 year after an unsuitable determination. There were also unsuitable contractors who had been terminated from a contract, but their credentials were not cancelled timely. Additionally, contractors with incomplete or discontinued investigations continued to work on SSA contracts.

Unsuitable Contractors Continued Working on SSA Contracts

We reviewed a population of 6,057 contractors to determine whether there were unsuitable contractors with active credentials during our audit period. For all contractors identified as unsuitable, we checked IDMS for HSPD-12 credentials. We identified three contractors who had unsuitable determinations and active HSPD-12 credentials. Based on its initial background check, CPSPM approved these contractors for work on an SSA contract, and OPSS issued an HSPD-12 credential. However, based on the full OPM investigation, CPSPM's final determination for them was unsuitable.

[8] AIMS MRM, 04.51.05 D.1.

Two of the three unsuitable contractors were still active on separate SSA contracts. One of the contractors was working as a senior IT engineer, and the other was working on a construction contract. Both contractors continued working on the contracts because the COTRs did not receive a letter stating the final unsuitable determination. CPSPM could not verify an unsuitable determination letter was sent to the COTR or contracting officer in these cases. One contractor was adjudicated unsuitable on July 20, 2011 and the other on August 17, 2011. Based on our audit work, both contractors were terminated and their credentials cancelled on September 14, 2012. A third contractor, who was providing IT support services, continued working on an SSA contract for 25 days after the unsuitable determination. This contractor resigned in 2011 for reasons unrelated to his suitability; however, reinstatement on the contract was possible for up to 1 year since the COTR was not informed of an unsuitable adjudication.

OPSS and other IDMS users depend on the system's validity when making decisions affecting access approval. During our fieldwork, we found 10 unsuitable contractors out of the same contractor population, including the 3 noted above, who still had a favorable suitability status in the IDMS. OPSS stated they were not notified of a change in the contractors' final suitability determinations from suitable to unsuitable. Contractors with suitable determinations in IDMS can have their physical and system access reinstated within 1 year after they stop working on the contract without going through the PIV process again. Therefore, it is imperative that the suitability information in IDMS be correct.

Our review noted SSA did not follow procedures for terminating three unsuitable contractors. During our review, we reconciled the suitability information in CSS with the information in IDMS. CPSPM and OPSS could periodically conduct a similar reconciliation to ensure unsuitable contractors are terminated and their credentials cancelled.

Terminated Unsuitable Contractors with Active Credentials

Physical access controls provide assurance that SSA's facilities are secure. FIPS 201 requires that the credential of an unsuitable contractor be cancelled within 18 hours of notification. During our review, we noted three unsuitable contractors, included in the 10 contractors noted above, had been terminated from the SSA contracts; however, their credential access was not cancelled for 11 months, 6 months, and 83 days, respectively. Two of the three were working as security guards in SSA facilities; their credential access was not cancelled for 11 months and 83 days after their terminations due to an unsuitable determination. The third contractor was providing janitorial services; his credential access was cancelled 6 months after his termination.

OPSS maintains that, in most cases, it cancels a credential within 4 hours of notification from the COTR. We were unable to verify why it took so long to cancel these credentials. It could be the result of poor communication between OPSS and the COTRs or OPSS' failure to cancel the credential according to policy. Weak controls over credential termination compromise the security of SSA facilities and employees.

Active Contractors with Discontinued OPM Investigations

We selected a probe sample of 25 contractors who had active credentials but did not appear to have suitability investigations. We found three contractors who had active HSPD-12 credentials, but their OPM investigations were not completed. CPSPM told us that when OPM returns a file with an incomplete investigation, CPSPM gathers the missing information and sends the file back to OPM for completion. CPSPM stated that a returned file does not necessarily indicate an applicant is unsuitable; a file could be returned because of missing information. Even though CPSPM could not produce suitability letters for these contractors, all three were issued HSPD-12 credentials.

•   In 2009, while conducting an initial background investigation, CPSPM found one contractor had an arrest. CPSPM requested additional information from the contractor and received no response. CPSPM then discontinued the investigation due to noncompliance. However, the contractor was issued a credential and was working on an IT services contract at the time of our fieldwork. As a result of this finding, CPSPM was conducting a new investigation and, based on the preliminary background check, determined the contractor is suitable to continue working pending the full OPM investigation.

•   CPSPM could not explain why the OPM investigations were halted for the other two contractors. Both contractors were working on IT contracts. One of these contractors resigned from the contract in July 2011. The other accepted a position as an SSA employee in August 2012 and was undergoing an employee background investigation at the time of this review.

CPSPM was unable to confirm why these two investigations remained incomplete. OPSS and the COTRs told us they were not informed of a discontinued investigation so the contractors continued working on SSA contracts. SSA facilities and systems could be at risk when a contractor is allowed to continue working without a complete OPM background investigation.

Procedures not Followed for Cancelling Credentials of Terminated Contractors

FIPS 201 requires that all changes in the credential holder's status be reflected in the system within 18 hours of notification. For example, when a contractor no longer requires access to SSA or their employment on a contract is terminated, the HSPD-12 credential and electronic certificates it contains must be revoked within 18 hours of notification. We found weaknesses in the procedures for cancelling credentials of terminated contractors.

To determine whether contractors with active credentials were still working on an SSA contract, we selected 50 suitable contractors who had active credentials during our review period. We requested that the SSA COTR and contractors' employers verify that contractors were still working on an SSA contract. We determined 7 of the 50 contractors had terminated an SSA contract either before or during our audit period, but they still had active credential cards with physical access enabled.

We selected 50 suitable contractors whose credentials were cancelled during our review period. We requested that the SSA COTR verify that the contractor had terminated an SSA contract during the period. We found 11 of the 50 contractors had terminated an SSA contract, but their HSPD-12 credentials were not deactivated within 18 hours. Based on our review, these were suitable contractors who left their respective contracts for reasons other than suitability. We noted their credentials were not deactivated for 13 days to 1 year from the date of termination.

OPSS told us the COTR must notify OPSS if a contractor has terminated the contract so physical access can be terminated within 18 hours of the contractor termination. However, in these cases, we could not determine whether the COTRs neglected to notify OPSS of the contractor termination or the COTR notified OPSS of a contractor termination, but OPSS neglected to cancel the credential within 18 hours.

We also found 6 of the 50 contractors whose credentials were cancelled had stopped working on an SSA contract but still had HSPD-12 credentials with physical access. We asked OPSS to explain how contractors with physical access were included in our terminated contractor sample population. OPSS told us that when physical access needs to be terminated immediately, credentials can be deactivated outside of the system process. Deactivation generally occurs in IDMS, which triggers deactivation in CMS. CMS has two subsystems: one for physical access and another for logical access (see Figure 2). Deactivation would automatically take place in these subsystems. However, OPSS can deactivate a contractor's access in one subsystem, which bypasses the system process that deactivates access in all systems. OPSS must then manually cancel access in all other systems and subsystems. For 6 of the 50 contractors who terminated but still had physical access, OPSS had not cancelled access in all systems.

Figure 2: HSPD-12 Access Systems

Procedures for Collecting and Destroying Credentials not Enforced

According to FIPS 201, normal termination procedures must be in place to ensure contractor credential cards are collected and destroyed. SSA[9] guidance instructs supervisors or project officers to contact the HSPD-12 help desk within 18 hours of a contractor's separation to terminate physical and logical access and render the card unreadable.

We selected a sample of 50 contractors who were terminated during the audit period and asked the COTRs and OPSS to verify the contractors' credential cards had been collected and destroyed.

[9] AIMS MRM, 04.51, Personal Identity Verification and Credential Issuance Process.

•   For 40 of the 50 contractors, the COTRs told us they collected the terminated credential cards; however, there was no record the credential card had been collected and destroyed. OPSS also could not verify the collection and destruction of the cards.

•   For 8 of the 50 contractors, the COTRs told us they were unable to collect the contractors' credential cards. OPSS could not tell us whether these cards were collected.

•   For 2 of the 50 contractors, the COTR could not be located for inquiry because of outdated contract information in SSA systems.

OPSS did not maintain a record of returned credential cards. Therefore, it cannot confirm that a specific credential had been collected and destroyed; it could only confirm the credential had been deactivated in the system.
OPSS told us deactivating credentials in the system is the\nprevailing control because it destroys the card\xe2\x80\x99s electronic authentication, which will prevent an\nunauthorized person from entering an SSA building where a card reader has been installed. At\nthe time of our review, card readers had been installed at SSA Headquarters, the National\nComputer Center, and most of the outlying SSA buildings. However, we found one building\nwhere no card reader was installed at either of the two entrances and another building where\nthere was a card reader at the main entrance but not at the side entrance. At a third location, a\nsecurity guard told us the card readers were not working at one entrance so they were not being\nused at either of the two entrances.\n\nAdditionally, HSPD-12 is a Government-wide identification and can be used to enter other\nFederal facilities. In Federal facilities that do not have card readers, credentials may be used for\nvisual identification only. Thus, any SSA-terminated contractor still holding a credential could\ngain access to Federal buildings that do not have card readers. The deactivation and collection of\nterminated credential cards provides greater assurance that terminated contractors cannot enter\nsecured facilities.\n\nCONCLUSIONS\nOur audit work identified vulnerabilities in the HSPD-12 suitability and credentialing processes\nat SSA. Overall, our review determined that SSA did not have adequate internal controls over\nissuing and monitoring HSPD-12 credentials. During our review, we found instances when\nSSA\xe2\x80\x99s components did not follow procedures for (1) terminating unsuitable contractors and\nensuring investigations were complete, (2) cancelling terminated contractors\xe2\x80\x99 credentials, and\n(3) enforcing the collection and destruction of credential cards.\n\nContractor suitability determinations are made to prevent unsuitable contractors from accessing\nSSA facilities and sensitive information. 
In a few cases, we determined that OPSS and COTRs\nwere not always informed of the results of unsuitable determinations. This resulted in three\nunsuitable contractors who continued to work on SSA contracts after they had been given an\nunsuitable determination. Two of the three worked on SSA contracts for over 1 year after an\nunsuitable determination. CPSPM must record the suitability determination into the IDMS to\ninitiate the creation of a credential. Since the system allows or denies access based on suitability,\nit is crucial that the IDMS reflect the correct suitability determination to ensure unsuitable\ncontractors cannot access SSA buildings. During the course of this review, OPSS began\n\nSSA\xe2\x80\x99s Internal Controls over Contractors\xe2\x80\x99 HSPD-12 Credentials (A-15-11-11178)                        8\n\x0creplacing the IDMS with the Electronic Personal Enrollment and Credentialing System (EPECS).\nEPECS provides CPSPM and COTRs additional tools and functionality for updating contractor\nstatus following an initial suitability determination and throughout the lifetime of the credential.\nThese additional tools, while still dependent on solid business processes for communicating an\nindividual\xe2\x80\x99s suitability status to the COTR, CO, contracting company and OPSS, provide\nCPSPM the ability to revoke logical and physical access immediately, but not later than 18 hours\nafter notification of an unsuitable adjudication.\n\nWeaknesses in the controls over credential cancellation of terminated contractors compromise\nthe security of SSA facilities and employees. We found terminated contractor credentials with\nactive physical access and credentials that were not deactivated within 18 hours of termination.\nAlso, we found that in some cases, OPSS bypassed the normal system process to deactivate\ncredentials. OPSS did not manually cancel access in all other subsystems as required so access\ninformation was incorrect in certain subsystems. 
Additionally, COTRs are responsible for communicating changes to contractor employment. If COTRs do not provide notification of a contractor termination, the contractor status may be incorrect in the system.

According to FIPS 201, normal termination procedures must be in place to ensure contractor credential cards are collected and destroyed. OPSS did not maintain a record of returned credential cards. Therefore, it could not confirm a specific credential had been collected and destroyed, only that it had been deactivated in the system.

RECOMMENDATIONS
To ensure SSA facilities and property are properly secured and safeguarded, SSA needs assurance that controls over HSPD-12 suitability and credentialing are followed and enforced. Therefore, we recommend SSA:

1. Ensure all components involved in the HSPD-12 suitability and credentialing process effectively communicate unsuitable determinations, contractor terminations and changes in SSA contracts, including COTR changes.

2. Perform periodic reconciliations between the suitability and credentialing systems to determine whether unsuitable or terminated contractors have been terminated, their credentials cancelled, and their suitability determination is correct in all appropriate systems.

3. Ensure contractors who have been terminated outside of the normal system termination process are also cancelled in all systems.

4. Document its collection and destruction of terminated credentials in accordance with FIPS 201.

AGENCY COMMENTS
The Agency agreed with our recommendations.
The Agency's complete comments are included in Appendix C.

APPENDICES

Appendix A – SCOPE AND METHODOLOGY
To accomplish our objectives, we:

•   Reviewed the Presidential Directive, Federal regulations, and Office of Management and Budget memorandums related to the implementation of Homeland Security Presidential Directive-12 (HSPD-12).

•   Reviewed Federal Information Processing Standard 201-1 and Administrative Instruction Manual System guidance on personal identity verification and the credential issuance process.

•   Interviewed management and staff from the Center for Personnel Security and Project Management and Office of Protective Security Services to gain an understanding of the processes and controls related to HSPD-12 suitability and credentialing.

•   Observed the system screens and processes for enrolling, approving, and issuing an HSPD-12 credential.

•   Obtained suitability data for all current or terminated contractors from the Contractor Suitability System (CSS) for the audit period.

•   Obtained credential data for all current or terminated contractors from the Identity Management System (IDMS) for the audit period.

•   Performed a reconciliation of contractor data between the CSS and IDMS and tested samples to ensure controls and procedures were followed.

•   Reviewed a sample of contractor background investigation files for completeness.

•   Observed card readers at Agency buildings in Woodlawn.

We determined the computerized data used during our review were sufficiently reliable given our objectives, and the intended use of the data should not lead to incorrect or unintentional conclusions.

We performed our fieldwork at Headquarters in Baltimore, Maryland, from October 2011 through September 2012. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusion based on our audit objectives.

Appendix B – FLOWCHARTS AND NARRATIVES

(Flowcharts on pages B-1 and B-2 are not reproduced in the text; the narratives follow.)

Personal Identity Verification
The Personal Identity Verification (PIV) credential is personalized with identity information about the individual to whom the card is issued. FIPS 201 creates a structured process for sponsoring and processing individuals in the PIV system and for issuing credentials. The process calls for "trusted individuals" who are vetted, trained, and certified for specific roles to ensure a separation of duties throughout the process. This is to ensure that no single individual can corrupt the system and issue a credential.
The specific roles within the process are as follows.

•   Applicant – An employee, contractor, or other individual requiring access to a Government facility or system.

•   Sponsor – The Sponsor (COTR) is responsible for initiating the HSPD-12 enrollment of the employee or contractor applicant. The Sponsor is responsible for

        o entering the applicant's personal and work information,
        o collecting the biometric identity of applicants through a fingerprint scan,
        o capturing the applicant's picture, and
        o scanning the applicant's identity documents.

•   Registrar – The Registrar (CPSPM) conducts a Numident check to validate the applicant's identity and ensure the identity documents are authentic.

•   Determination Officer (DO) – The DO (CPSPM) ensures an appropriate background investigation is initiated and makes a final suitability determination. The DO also verifies and inputs the date and results of the fingerprint check in IDMS.

•   Issuer – The Issuer (OPSS) issues the credential to an applicant after completing the following.

        o Verify the identity of the Applicant in relation to the Sponsor's input of the identity document.
        o Verify the biometric identity of the Applicant through a fingerprint scan.
        o Activate the credential in CMS.
        o Assist the Applicant in applying the six- to eight-digit personal identification number to the credential.

PIV Process Flow
The PIV process begins when the contractor applicant completes either a Form SF-85 (Questionnaire for Non-Sensitive Positions) or a Form SF-85P (Questionnaire for Public Trust Positions). The applicant provides SSA with these forms along with a Fair Credit Report Authorization (FCRA), an OF 306 form (Declaration for Federal Employment), two completed FD-258 fingerprint cards and two I-9 identity documents. An applicant who is a non-citizen must also provide work authorization forms. If an applicant claims to have had a background investigation from another Federal agency, CPSPM will verify the investigation with the Office of Personnel Management (OPM). If a higher-level background investigation is required for the current contract than is on record, CPSPM will require that the applicant complete paperwork for the higher-level investigation. The CPSPM conducts a prescreen background check, which includes a National Criminal Investigations Center (NCIC) check, verification of Social Security number, citizenship check, and check for Selective Service System registration, where applicable.

Based on the results of the prescreen background check, CPSPM will issue either a suitable or unsuitable determination letter to the contractor employer, SSA Contracting Officer (CO), and Sponsor (COTR). If the suitability determination is favorable, the Sponsor (COTR) is responsible for entering the applicant's information into EPECS (previously CERMS). The Registrar/DO will verify all information. The DO enters the suitability determination in IDMS, which approves credential issuance. The Issuer issues a temporary credential and sends an electronic message to the credential manufacturer to print a credential. This allows the contractor to begin work while a full background investigation is completed by OPM.

Once the Issuer receives the printed credential card, the applicant appears before the Issuer with his/her I-9 identification documents that were presented at the beginning of the process.
The Issuer validates the actual identification against the picture identification, compares I-9 documents, and electronically compares the Applicant's fingerprints to those in IDMS. The Issuer downloads the electronic certificates onto the credential, and the applicant changes his or her password in the system. The Issuer signs the credential, finalizing the credential process, and gives the credential to the Applicant. If the identification check fails, the Issuer notifies the Registrar and Sponsor, who either resolve the identification issue or deny the credential to the Applicant.

Once the OPM investigation is complete, the investigative report is submitted to the DO for adjudication. If the DO's final adjudication is suitable, the contractor continues to perform SSA contract work and no further action is required. If the final adjudication is unsuitable, CPSPM issues an unsuitable letter to the contractor employer, CO and COTR. The COTR is responsible for ensuring the contractor is removed from the contract, notifying OPSS to cancel the credential and collecting the contractor's credential.

Appendix C – AGENCY COMMENTS

SOCIAL SECURITY

MEMORANDUM

Date:      March 28, 2013                                    Refer To:   S1J-3

To:        Patrick P. O'Carroll, Jr.
           Inspector General

From:      Katherine Thornton    /s/
           Deputy Chief of Staff

Subject:   Office of the Inspector General Draft Report, "The Social Security Administration's Internal Controls over Issuing and Monitoring Contractors' Homeland Security Presidential Directive-12 Credentials" (A-15-11-11178)—INFORMATION

           Thank you for the opportunity to review the draft report. Please see our attached comments.

           Please let me know if we can be of further assistance. You may direct staff inquiries to Gary S. Hatcher at (410) 965-0680.

           Attachment

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL DRAFT REPORT, "THE SOCIAL SECURITY ADMINISTRATION'S INTERNAL CONTROLS OVER ISSUING AND MONITORING CONTRACTORS' HOMELAND SECURITY PRESIDENTIAL DIRECTIVE (HSPD)-12 CREDENTIALS" (A-15-11-11178)

Recommendation 1

Ensure all components involved in the HSPD-12 suitability and credentialing process effectively communicate unsuitable determinations, contractor terminations, and changes in SSA contracts, including COTR changes.

Response

We agree. The Office of Security and Emergency Preparedness' Office of Protective Security Services and the Office of Personnel's Center for Personnel Security and Project Management are developing a Memorandum of Understanding to document, in detail, the communication responsibilities of all parties involved in the contractor issuance and revocation processes for HSPD-12 credentials.
In addition, we fully implemented the automated Electronic Personal Enrollment and Credentialing System (EPECS) on February 24, 2013.

EPECS provides a higher level of security than our previous credentialing system and a more efficient contractor management process for the Contracting Officer Technical Representatives. EPECS provides additional tools and functionality for updating contractor status following an initial suitability determination and throughout the lifetime of the credential. We are updating the related Administrative Instruction Manual System Guide (AIMS), Material Resources Manual 04.51, "Personal Identity Verification and Credential Issuance Process," to reflect all parties' roles and responsibilities within the new system.

Recommendation 2

Perform periodic reconciliations between the CSS and IDMS systems to determine whether unsuitable or terminated contractors have been terminated, their credentials cancelled, and their suitability determination is correct in all appropriate systems.

Response

We agree. We replaced the Identity Management System (IDMS) with EPECS. We will ensure periodic reconciliation between EPECS and the Common System Services, as it may add value to the current business process.

Recommendation 3

Ensure contractors who have been terminated outside of the normal system termination process are also cancelled in all systems.

Response

We agree.

Recommendation 4

Document its collection and destruction of terminated credentials in accordance with FIPS 201.

Response

We agree.
We will determine the most cost-effective and time-sensitive approach for tracking the collection and destruction of terminated credentials.

Appendix D – MAJOR CONTRIBUTORS
Victoria Vetter, Director, Financial Audit Division

Judith Kammer, Audit Manager, Financial Audit Division

Kali Biagioli, Senior Auditor, Financial Audit Division

MISSION
By conducting independent and objective audits, evaluations, and investigations, the Office of the Inspector General (OIG) inspires public confidence in the integrity and security of the Social Security Administration's (SSA) programs and operations and protects them against fraud, waste, and abuse. We provide timely, useful, and reliable information and advice to Administration officials, Congress, and the public.

CONNECT WITH US
The OIG Website (http://oig.ssa.gov/) gives you access to a wealth of information about OIG. On our Website, you can report fraud as well as find the following.

   •   OIG news
   •   audit reports
   •   investigative summaries
   •   Semiannual Reports to Congress
   •   fraud advisories
   •   press releases
   •   congressional testimony
   •   an interactive blog, "Beyond The Numbers," where we welcome your comments

In addition, we provide these avenues of communication through our social media channels.

   •   Watch us on YouTube
   •   Like us on Facebook
   •   Follow us on Twitter
   •   Subscribe to our RSS feeds or email updates

OBTAIN COPIES OF AUDIT REPORTS
To obtain copies of our reports, visit our Website at http://oig.ssa.gov/audits-and-investigations/audit-reports/all. For notification of newly released reports, sign up for e-updates at http://oig.ssa.gov/e-updates.

REPORT FRAUD, WASTE, AND ABUSE
To report fraud, waste, and abuse, contact the Office of the Inspector General via
   Website:        http://oig.ssa.gov/report-fraud-waste-or-abuse
   Mail:           Social Security Fraud Hotline
                   P.O. Box 17785
                   Baltimore, Maryland 21235
   FAX:            410-597-0118
   Telephone:      1-800-269-0271 from 10:00 a.m. to 4:00 p.m. Eastern Standard Time
   TTY:            1-866-501-2101 for the deaf or hard of hearing